Nonce in secp256k1 ECDSA

[peakyclin77]

Hello everyone,

Here, the k values seem predictable and deterministic.

R1 = 0x5660647957179a737ee9f43d69ea7923ed179680acaea311986ba7bde67dd321
R2 = 0x566064795718a8c41789a5e3947f17cb2932dca737037bce9b49c7a75f606ce1

Relative Distance Ratio (Distance / n):
Fraction: 0.000000000000003751

[iceland2k14]

How is it predictable ?

The mathematical distance between R1 & R2 has nothing to do with the actual distance between their corresponding nonces. let me give you an example.

R1 = 0xa03aba6c1d66b0adff5f523b05ae59226b75a3c89c5755728d4278b4d02dec0
R2 = 0xd95ae6aa449d8243d4fc55ffa443c3f9982d235d4237fe0c187dba73b075b71d

Do you see how much is the mathematical distance between them. They looks to totally totally very far. No similarity at all. But if i say to you that they are very close and in fact in your terms of Relative Distance Ratio (Distance /N) they are = 0.00000000000000000000000000000000000000000000000000000000000000000000000000004 318

[flapduck]

Hello everyone,

Here, the k values seem predictable and deterministic.

R1 = 0x5660647957179a737ee9f43d69ea7923ed179680acaea311986ba7bde67dd321
R2 = 0x566064795718a8c41789a5e3947f17cb2932dca737037bce9b49c7a75f606ce1

Relative Distance Ratio (Distance / n):
Fraction: 0.000000000000003751

r = x(k*G) mod n. Closeness of r1 and r2 says nothing about k1 and k2. The x map and the mod reduction destroy any simple distance relation. You can see tiny r gaps from unrelated nonces.

Hello everyone,

Here, the k values seem predictable and deterministic.

R1 = 0x5660647957179a737ee9f43d69ea7923ed179680acaea311986ba7bde67dd321
R2 = 0x566064795718a8c41789a5e3947f17cb2932dca737037bce9b49c7a75f606ce1

Relative Distance Ratio (Distance / n):
Fraction: 0.000000000000003751

Agreed. Measure distance in scalar space, not by comparing r or x(R). Without k or leaked bits there is no handle. Real issues are nonce reuse, biased RNG, or partial-bit leaks that enable lattice attacks.